[Maria-discuss] pam / ldap auth
Hi, I installed mariadb using the stock debian packages, configured pam authentication, and configured a mysql pam module like this:
/etc/pam.d/mysql:

    auth    required pam_winbind.so
    account required pam_winbind.so
As I also added the server to my AD domain, this basically gives my samba winbind users access to mysql using their windows credentials:
    root@mysqlserver:~# mysql -udomain_username -p
    Enter password: <windows_domain_password>
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 6
    Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
So I was happy. Initially. :-) Until I found out this works only from the localhost mariadb is running on. Trying this from a remote mysql client gives:
    user@e7470 ~ $ mysql -udomain_user -p -h mysqlserver.full.address
    Enter password:
    ERROR 2059 (HY000): Authentication plugin 'dialog' cannot be loaded: /usr/lib/mysql/plugin/dialog.so: cannot open shared object file: No such file or directory
and searching on that remote server for /usr/lib/mysql/plugin/dialog.so gives no results:
    user@e7470 ~ $ dpkg --search /usr/lib/mysql/plugin/dialog.so
    dpkg-query: no path found matching pattern /usr/lib/mysql/plugin/dialog.so
Anyone here with a good suggestion on how to make this work from a 'regular' remote mysql client?

But more fundamentally: is it possible to have mariadb ldap auth on a server, *without* requiring anything special on the client side?

MJ
Hi! On Sep 11, mourik jan c heupink wrote:
Until I found out this works only from the localhost mariadb is running on. Trying this from a remote mysql client gives:
    user@e7470 ~ $ mysql -udomain_user -p -h mysqlserver.full.address
    Enter password:
    ERROR 2059 (HY000): Authentication plugin 'dialog' cannot be loaded: /usr/lib/mysql/plugin/dialog.so: cannot open shared object file: No such file or directory
and searching on that remote server for /usr/lib/mysql/plugin/dialog.so gives no results:
    user@e7470 ~ $ dpkg --search /usr/lib/mysql/plugin/dialog.so
    dpkg-query: no path found matching pattern /usr/lib/mysql/plugin/dialog.so
Anyone here with a good suggestion on how to make this work from a 'regular' remote mysql client?
But more fundamentally: is it possible to have mariadb ldap auth on a server, *without* requiring anything special on the client side?
Short answer - yes.

Long answer: PAM works by asking questions that the user answers. Like, the password, PIN, S/Key, verification code, whatever. In the MariaDB world, the PAM server plugin gets the question from the PAM subsystem, forwards the question to the client, reads the answer from the client and passes it back to PAM. Repeat as necessary.

For this to work, the PAM plugin fundamentally needs something on the client side that can receive this arbitrary question, show it to the user, read the reply, and send it to the server. Normally, this is the dialog plugin. On debian it's part of the libmariadbclient18 package, for example: https://packages.debian.org/stretch/amd64/libmariadbclient18/filelist

If you use the command line client from the Oracle MySQL distribution, not from MariaDB, you won't have a working dialog plugin. But you still have the mysql_clear_password plugin. You can see it above in the libmariadbclient18 list of files too, but in libmysqlclient it's compiled in, not a separate library. You can instruct the PAM plugin (on the server side!) to use mysql_clear_password, not dialog: https://mariadb.com/kb/en/library/authentication-plugin-pam/#mysql-cleartext...

The drawback: it only supports one question/answer; it won't repeat if some PAM module needs it. For LDAP it should be sufficient, though.

So 1) either use the mariadb command line client and install all dependencies correctly, then you'll have dialog.so. Or 2) use the oracle mysql command line client and configure the server to request the mysql_clear_password plugin.

Note that neither dialog nor mysql_clear_password encrypt the answers they send to the server, so you should use SSL to protect your passwords.

Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org
Hi Sergei!

Thank you very much, and this seems to do exactly what we are looking for. And yes: we will take care of encrypting the traffic ourselves.

On 9/11/2018 10:20 PM, Sergei Golubchik wrote:
Short answer - yes. Long answer:
A very long and elaborate answer indeed! :-)

We will configure the server for mysql_clear_password. Next project: implementing mariaDB ACLs based on ldap groups. :-)

Thanks again!

MJ
Hi all,

I'd like to ask an additional question re the subject line.

I have set up pam auth with pam_winbind.so on a debian 9 stretch samba domain member server, with mariadb 10.1 from the debian repo in "pam_use_cleartext_plugin" mode. I can logon (both ssh and mysql) with domain usernames fine, and the system knows group memberships too (confirmed with "id ADusername"), so basic functions all seem to work.

Next is using groups for access control. So I tried following this: https://mariadb.com/resources/blog/configuring-pam-group-mapping-mariadb

In short what I did:
- download the 10.1 plugin
- compile
- copy to /lib/x86_64-linux-gnu/security/ (debian path, different from the howto)
- made /etc/pam.d/mysql look like:
    #%PAM-1.0
    auth    required pam_winbind.so
    account required pam_winbind.so
    auth    required pam_user_map.so
- skipping the shadow stuff, as I guess it's not needed for winbind/ldap

I have a user1 in AD, member of user1_grp, so for a quick test I created /etc/security/user_map.conf with:
@user1_grp: root
However, as soon as I add pam_user_map.so to mysql pam file, we're getting:
    root@mariadb:~# mysql -uuser1 -p
    Enter password:
    Sep 24 12:37:47 mariadb mysqld: pam_winbind(mysql:auth): getting password (0x00000000)
    Sep 24 12:37:47 mariadb mysqld: pam_winbind(mysql:auth): user 'user1' granted access
    Sep 24 12:37:47 mariadb mysqld: pam_winbind(mysql:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
    ERROR 1045 (28000): Access denied for user 'user1'@'localhost' (using password: NO)
    root@mariadb:~#
When I remove pam_user_map.so from the pam file, logging in works again.

Have been at it for a while now, and could really use some fresh input. Anyone done this..? On debian stretch? What am I missing..?

Thanks!
Hi,

So, much progression, by using the pam debug flags:

    auth    required pam_winbind.so debug
    account required pam_winbind.so debug
    auth    required pam_user_map.so debug

revealing this in /var/log/debug:
    Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): [pamh: 0x7ff70141f480] ENTER: pam_sm_authenticate (flags: 0x0000)
    Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): getting password (0x00000001)
    Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): Verify user 'ADuser1'
    Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): request wbcLogonUser succeeded
    Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): user 'ADuser1' granted access
    Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): Returned user was 'ADuser1'
    Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): [pamh: 0x7ff70141f480] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
    Sep 25 11:02:55 mariadb mysqld: pam_user_map(mysql:auth): Opening file '/etc/security/user_map.conf'.
    Sep 25 11:02:55 mariadb mysqld: pam_user_map(mysql:auth): Incoming username 'ADuser1'.
    Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): User belongs to 3 groups [group1,group2,group3].
    Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): Check if user is in group 'group1': YES
    Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): User mapped as 'root'
    Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): [pamh: 0x7ff70141f480] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
    Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
    Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): user 'root' not found
    Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): [pamh: 0x7ff70141f480] LEAVE: pam_sm_acct_mgmt returning 10 (PAM_USER_UNKNOWN)
    ERROR 1045 (28000): Access denied for user 'ADuser1'@'localhost' (using password: NO)
So the problem is: I am mapping the login to user "root", which doesn't exist in AD. When mapping to an existing AD user, things started to work.

Now the remaining 1.000.000$ question, if I may:

The aim is to map AD users 'into' a local mariadb user. This does not work, as pam tries to find both the login user and the target mapped user (see logs above).

What (probably pam?) config is required to handle the case where we logon to mysql using AD usernames/passwords, and map/proxy those into a local mysql username..? Anyone?

MJ
Hi, mj! On Sep 25, mj wrote:
Hi,
So, much progression, by using the pam debug flags:
    auth    required pam_winbind.so debug
    account required pam_winbind.so debug
    auth    required pam_user_map.so debug

revealing this in /var/log/debug:
    Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): getting password (0x00000001)
    Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): Verify user 'ADuser1'
    Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): request wbcLogonUser succeeded
    Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): user 'ADuser1' granted access
    Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): Returned user was 'ADuser1'
    Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): [pamh: 0x7ff70141f480] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
    Sep 25 11:02:55 mariadb mysqld: pam_user_map(mysql:auth): Opening file '/etc/security/user_map.conf'.
    Sep 25 11:02:55 mariadb mysqld: pam_user_map(mysql:auth): Incoming username 'ADuser1'.
    Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): User belongs to 3 groups [group1,group2,group3].
    Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): Check if user is in group 'group1': YES
    Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): User mapped as 'root'
    Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): [pamh: 0x7ff70141f480] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
    Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
    Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): user 'root' not found
    Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): [pamh: 0x7ff70141f480] LEAVE: pam_sm_acct_mgmt returning 10 (PAM_USER_UNKNOWN)
Thanks, that was very helpful!
So the problem is: I am mapping the login to user "root", which doesn't exist in AD.
When mapping to an existing AD user, things started to work.
Now the remaining 1.000.000$ question, if I may:
The aim is to map AD users 'into' a local mariadb user. This does not work, as pam tries to find both the login user and the target mapped user (see logs above).
What (probably pam?) config is required to handle the case where we logon to mysql using AD usernames/passwords, and map/proxy those into a local mysql username..? Anyone?
pam_user_map renames the user in the pam module chain, that is, all following pam modules will see the new name. And because 'account' modules are invoked after 'auth', pam_winbind will see the new name.

Do you really have to use the

    account required pam_winbind.so

line? I didn't try it myself, but I'd think that using

    account required pam_permit.so

would help. That's what we're using to test the MariaDB pam plugin in the mysql-test framework.

Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org
Hi, On 09/25/2018 12:56 PM, Sergei Golubchik wrote:
pam_user_map renames the user in the pam module chain, that is, all following pam modules will see the new name. And because 'account' modules are invoked after 'auth', pam_winbind will see the new name.
Do you really have to use
account required pam_winbind.so
line? I didn't try it myself, but I'd think that using
account required pam_permit.so
would help. That's what we're using to test MariaDB pam plugin in mysql-test framework.
It does help, yes. So I guess I didn't need the line :-)

I have everything I need working now. Thanks Sergei, great help!

MJ
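As an added illustration (not code from the thread or from MariaDB), a toy model of the PAM stack Sergei describes: pam_user_map renames the user mid-chain, the 'account' phase runs on the renamed user, so pam_winbind's account check fails with PAM_USER_UNKNOWN for a mapped name that winbind cannot resolve, while pam_permit.so lets the mapped login through. AD_USERS and USER_MAP_CONF are constructed sample data, and the chain semantics are simplified.

```python
# Added example (not from the thread): toy model of the PAM stack discussed above.
# Shows why "account required pam_winbind.so" rejects a login that pam_user_map
# renamed to a non-AD user, while pam_permit.so accepts it. Constructed data only.
PAM_SUCCESS, PAM_USER_UNKNOWN = 0, 10
# Constructed stand-in for what winbind can resolve: AD users -> their groups.
AD_USERS = {"ADuser1": {"group1", "group2", "group3"}}
# Same syntax as /etc/security/user_map.conf: "@group: target" or "user: target".
USER_MAP_CONF = """\
# constructed sample map
@group1: root
"""

def parse_user_map(text):
    """Return (key, target) pairs in file order; keys starting with '@' are groups."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, target = (part.strip() for part in line.split(":", 1))
            rules.append((key, target))
    return rules

def pam_winbind_auth(user, ctx):
    return PAM_SUCCESS if user in AD_USERS else PAM_USER_UNKNOWN

def pam_user_map(user, ctx):
    groups = AD_USERS.get(user, set())
    for key, target in parse_user_map(USER_MAP_CONF):
        if key == user or (key.startswith("@") and key[1:] in groups):
            ctx["user"] = target  # rename: every later module sees the new name
            break
    return PAM_SUCCESS            # no matching rule leaves the name unchanged

def pam_winbind_account(user, ctx):
    # Account phase runs after auth, so wbcGetpwnam is asked about the *mapped* name.
    return PAM_SUCCESS if user in AD_USERS else PAM_USER_UNKNOWN

def pam_permit_account(user, ctx):
    return PAM_SUCCESS

def run_stack(auth_modules, account_modules, login):
    """Run auth then account modules as 'required'; return (rc, final user name).
    Simplified: stops at the first failure instead of finishing the chain."""
    ctx = {"user": login}
    for module in auth_modules + account_modules:
        rc = module(ctx["user"], ctx)
        if rc != PAM_SUCCESS:
            return rc, ctx["user"]
    return PAM_SUCCESS, ctx["user"]

BROKEN = run_stack([pam_winbind_auth, pam_user_map], [pam_winbind_account], "ADuser1")
FIXED = run_stack([pam_winbind_auth, pam_user_map], [pam_permit_account], "ADuser1")
```

BROKEN reproduces the log above (rc 10, user already renamed to 'root'); FIXED returns rc 0 with the same mapped name, which is what the server then uses as the proxied MariaDB account.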